Hide API Endpoint, Project ID, Database ID etc in front end?

So here is a noob question (maybe even dumb?) but I need to ask it. I have a vue app which connects to my Appwrite instance using the API endpoint, project ID and it reads and writes using the Database ID etc. I guess those variabes have to be part of the front end in a production scenario. But how does Appwrite know which requests are legitimate and not? My vue-app does not really "authenticate" itself in any way. Is it through role/user settings in auth + limits to API calls per time unit? Can access to the endpoint and ID-strings above hurt me in production and do I have to hide/obfuscate them somehow (as we do with e.g. SMTP Keys using environment variables inside appwrite).

TL;DR

The user is asking if it is necessary to hide the API endpoint, project ID, and database ID in the front end of a Vue app that connects to an Appwrite instance. They are concerned about the security implications and how Appwrite determines legitimate requests. The solution is to require authentication and set up server-side validation using permissions. There is no need to hide or obfuscate the endpoint and ID strings.

endpoint, project id, are fine to be public. it's the same as working with any sort of backend. the client MUST have this information in order to connect.

the best way to lock things down is by requiring authentication and setting up server side validation via permissions

Thanks @Steven ! This was my assumption, but didn't want to assume too much when it comes to these topics 🙂

Happy to help. And the most important thing is to not use API keys client side!

Reply to this thread by joining our Discord

Reply on Discord

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more

Recommended threads

Need support?

Join our Discord

Get premium support